Operation of a security module in a card reader

ABSTRACT

Card reader having a control interface 18 for controlling 12 the card reader from the exterior, and a device for reading data cards, particularly chip cards, and also having a security module 20, where a request arriving via the control interface 18 is forwarded to the security module 20, and the latter's output is reformatted, if appropriate, and is forwarded to the data card, where it is checked.

TECHNICAL FIELD

The invention relates to the flow control in card readers for magnetic or chip cards in which a security module is provided.

PRIOR ART

In many areas, particularly in self-service appliances such as cash dispenser machines, cards in check-card or credit-card format are used which have magnetically coded tracks or electronic circuits produced in the card. The latter cards are commonly referred to as chip cards. When using these cards, card readers are required which can be used to make contact with the chip cards or to read the magnetically coded information on magnetic-strip cards.

Such card readers are also used, in particular, to ascertain the identity of a person using an appliance. For this purpose, the cards hold a coded password, also referred to as a PIN. Besides chip cards containing a cryptographic processor, there are also chip cards in use which do not allow the password to be read, but only allow it to be compared internally. These chip cards then require the password to be transmitted in plain text via the card reader's external interface which is provided.

It is therefore an object of the invention to specify a solution which does not require the password in plain text outside of the card reader.

DESCRIPTION OF THE INVENTION

The invention uses the insight that the object can be achieved by a security module in the card reader. For this purpose, an encrypted password is sent via the external interface, is sent to the security module, is decrypted there and is sent directly to the chip card, generally in recoded form.

Other features and advantages of the invention can be found in the description below, which explains the invention using an exemplary embodiment in conjunction with the appended drawings.

BRIEF DESCRIPTION OF THE DRAWINGS

In the drawing,

FIG. 1 shows a schematic illustration of components of a card reader in which the invention can be used.

DESCRIPTION OF AN EMBODIMENT OF THE INVENTION

FIG. 1 is a schematic illustration of a card reader 10 in which a card, in this case a chip card 11, can be moved and hence inserted and output in a guide channel 14. A controller 12 brings about this action using a drive 13. The chip card 11 has contacts 15 which are connected to mating contacts 16. This action is brought about by the controller 12, possibly together with the drive 13 and further means.

The card reader also comprises a security module 20 which is connected to the controller 12. This security module is designed such that an attempt to open it destroys the stored data. Such a security module 20 therefore stores, in particular, keys for symmetrical encryption methods. So as not to have to reveal the key, the security module decrypts, if appropriate, data which are transmitted to it via the connection by the controller 12. The interface for such a security module is frequently the same as that for a chip card. It can also be in the form of a chip card, which means that a second corresponding contact station is required. Preferably, however, a version for integrated circuits is used which is more reliable and takes up less space.

In addition, the card reader comprises a control interface 18 which is used to control the card reader. In many cases, this control interface 18 is in the form of a serial interface, known by the abbreviation ‘V24’. FIG. 1 shows a superordinate controller 31 with a data transmission link 30 which operates this control interface 18.

Alternatively, such a card reader can also read cards having a magnetic track, which is not shown in FIG. 1. The contact unit 16 for this can be thought of as a magnetic reading head.

The inventive method is applied as follows, for example:

A chip card 11 belonging to a customer will be assumed to have been connected by the contact station 16. The chip card 11 contains a stored password, called a PIN in the field of banking. Although this password cannot be read, provision is made for the password to be sent to the chip card 11 in plain text and for said chip card 11 then to perform the check for identity.

The card readers known to date therefore require the password to be transferred to the control interface 18 in plain text in order for the controller 12 to forward it to the chip card. This path is symbolized by the curved double-headed arrow 22 inside the controller 12. However, the control interface 18 is frequently a standardized interface which is relatively simple to tap. In addition, the control interface 18 is frequently operated by a computer having a normal operating system, which could in turn be a target for attacks.

The card reader has access to a security module 20 which contains, in particular, a decryption section. This security module is operated via the control interface 18. In particular, an encrypted password is sent from the superordinate controller 31 to the security module 20 for the purpose of decryption, and the decrypted password is sent back via the control interface by the security module. This path is symbolized by the curved double-headed arrow 21 inside the controller 12. The superordinate controller 31 picks up the password and forms a further order to the controller 12 for the purpose of sending the decrypted password to the chip card 11.

The invention avoids transmitting the password via the control interface 18 twice by virtue of the controller 12 being designed such that the result returned by the security module 20 is forwarded, generally after reformatting, directly to the chip card. This path is symbolized by the curved double-headed arrow 23 inside the controller 12.

It will be assumed that the control interface has received a command which contains the password in encrypted form. This command is characterized, generally by means of a code field, such that it needs to be passed to the security module 20 and the result of the security module's handling must not be returned via the control interface, but rather can be forwarded only to the chip card. In this case, the result is precisely the decrypted password which is sent to the chip card. The chip card makes a comparison with the password stored on it and delivers a statement regarding whether there is a match. To support this operation, provision is made for a preliminary instruction to be used to specify, particularly by specifying a position and a length, where in the security module's response the decrypted password needs to be extracted. In the same or in a further preliminary instruction, the controller is notified of that coded instruction into which the extracted password needs to be fitted. This can be done by specifying a character string which needs to be placed in front and one which needs to be placed behind.
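The following C sketch is an added example, not code from the patent. It models the controller-side handling just described: a template set by the preliminary instruction (position, length, string in front, string behind), extraction of the password from the security module's response, and a return path to the control interface that carries only the match status. The status codes, struct layout, XOR placeholder for decryption, the card stub and the sample bytes are all assumptions constructed for the illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Status codes, layouts and names are assumptions made for this example. */
enum { ST_MATCH = 0, ST_NO_MATCH = 1, ST_ERROR = 2 };
typedef struct {                    /* filled in by the preliminary instruction */
    size_t  off, len;               /* where the PIN sits in the module response */
    size_t  prefix_len, suffix_len;
    uint8_t prefix[8], suffix[8];   /* strings placed in front of and behind it */
} pin_template;

/* Stand-in for security module 20; XOR is a placeholder, not a real cipher. */
static size_t sm_decrypt(const uint8_t *in, size_t n, uint8_t *out) {
    for (size_t i = 0; i < n; i++) out[i] = in[i] ^ 0x5A;
    return n;
}
/* Stand-in for chip card 11: compares internally, reports only match or not. */
static int card_verify(const uint8_t *cmd, size_t n) {
    static const uint8_t expect[] = { 0x20, '1', '2', '3', '4', 0xFF }; /* constructed */
    return n == sizeof expect && memcmp(cmd, expect, n) == 0;
}

/* Path 23: module output goes only to the card; the host gets a status code. */
int handle_verify(const pin_template *t, const uint8_t *enc, size_t enc_len) {
    uint8_t resp[32], cmd[48];
    int st = ST_ERROR;
    if (enc_len > sizeof resp) return st;
    size_t len = sm_decrypt(enc, enc_len, resp);
    /* Reject templates that point outside the response or overflow cmd. */
    if (t->len <= len && t->off <= len - t->len &&
        t->prefix_len <= sizeof t->prefix && t->suffix_len <= sizeof t->suffix) {
        size_t n = t->prefix_len;
        memcpy(cmd, t->prefix, n);
        memcpy(cmd + n, resp + t->off, t->len);     n += t->len;
        memcpy(cmd + n, t->suffix, t->suffix_len);  n += t->suffix_len;
        st = card_verify(cmd, n) ? ST_MATCH : ST_NO_MATCH;
    }
    /* Clear plaintext; real firmware needs a wipe the compiler cannot elide. */
    memset(resp, 0, sizeof resp); memset(cmd, 0, sizeof cmd);
    return st;
}

/* Constructed input: response 00 04 <4 PIN digits> 90 00, XOR-"encrypted". */
int demo(const char *pin4, size_t off) {
    pin_template t = { off, 4, 1, 1, { 0x20 }, { 0xFF } };
    uint8_t enc[8] = { 0x00, 0x04, 0, 0, 0, 0, 0x90, 0x00 };
    memcpy(enc + 2, pin4, 4);
    for (size_t i = 0; i < sizeof enc; i++) enc[i] ^= 0x5A;
    return handle_verify(&t, enc, sizeof enc);
}
```

The bounds check on the template matters because the position and length arrive over the same control interface the design treats as exposed; without it, a preliminary instruction could make the controller read outside the module's response.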

The password is preferably encrypted in the actual keypad unit into which the user enters the password or the PIN. This means that the area in which the password is visible in unencrypted form is limited to the interior of the keypad and of the card reader. The devices required for this purpose are already provided in the keypads on cash machines. If appropriate, recoding can also take place if the keypad and the security module have no common key. In this case, the cash machine's controller is connected to a central control station which has access to both keys in a secure environment and uses the keypad's key for decryption and uses the card reader's key for decryption within this secure environment.

In card readers having a magnetic track, the invention can be applied to the extent that the information needing to be compared with the magnetic track can be sent to the card reader in encrypted form, is decrypted by said card reader and is then compared directly in the card reader with the data read from the magnetic track. This means that the data are less exposed to an attack; an attacker planning an attack using a relatively large amount of magnetic track data must then get hold of these data physically. In this respect, the security is increased at least slightly.

1. A method of operation for a card reader comprising: providing a controller having a control interface connected thereto for controlling the card reader; a card interface for chip cards which can be interchanged under operational conditions, the card interface being connected to the controller; a superordinate controller; and a security module having a module interface which is connected to the controller; generating an authorization request comprising instruction sequences at the superordinate controller; transmitting the authorization request and an encrypted password to the control interface; forwarding the authorization request to the security module; producing a decrypted password; generating an order at the superordinate controller for forwarding the decrypted password from the security module to the card interface; sending the order to the security module via the control interface; forwarding the decrypted password to the card interface; comparing, at the chip card, the decrypted password with a password stored on the chip card; and producing a statement indicating whether there is a match between the decrypted password and the password stored on the chip card.

2. The method of claim 1, wherein the chip card produces the statement indicating whether there is a match between the decrypted password and the password stored on the chip card.

3. The method of claim 2, further comprising using a preliminary instruction to send a data record to the controller via the control interface, said data record being forwarded to the chip card in combination with the decrypted password from the security module.

4. The method of claim 1 wherein the superordinate controller controls the card reader from a position external to the card reader.

5. A method of operation for a card reader comprising: providing the card reader which can be interchanged under operational conditions; a controller having a control interface connected thereto for controlling the card reader, a card interface for the card reader, the card interface being connected to the controller; a superordinate controller; and a security module having a module interface which is connected to the controller; inputting a magnetic track card in the card reader; generating an authorization request comprising instruction sequences at the superordinate controller; transmitting the authorization request and an encrypted password from the superordinate controller to the control interface; forwarding the authorization request to the security module; producing a decrypted password at the security module; generating an order at the superordinate controller for forwarding the decrypted password from the security module to the chip card; sending the order to the security module via the control interface; forwarding the decrypted password from the security module via the card interface to the card reader; comparing, at the card reader, the decrypted password with data read from the magnetic track card; and producing by the card reader, a statement indicating whether there is a match between the decrypted password and the data read from the magnetic track card.

6. The method of claim 5, further comprising using a preliminary instruction to send a data record to the controller via the control interface, said data record being forwarded to the card reader in combination with the decrypted password from the security module.

7. The method of claim 5 wherein the superordinate controller controls the card reader from a position external to the card reader.

8. A card reader system comprising: a controller having a control interface connected thereto for controlling the card reader system; a card interface for receiving chip cards, the card interface connected to the controller; a superordinate controller coupled to the controller via a data transmission link; and a security module connected to the controller; wherein the superordinate controller is configured to generate an authorization request comprising instruction sequences and to transmit the authorization request and an encrypted password to the control interface; wherein the control interface is configured to receive the authorization request and the encrypted password and to transmit the authorization request and the encrypted password to the security module; wherein the security module is configured to receive the authorization request from the control interface, and decrypt the encrypted password; wherein the superordinate controller is configured to send an order to the security module for forwarding the decrypted password to the card interface; wherein upon receipt of the order, the security module is configured to transmit the decrypted password to the card interface; wherein the card interface is configured to transmit the decrypted password to the chip card; and wherein the chip card is configured to compare the decrypted password with a password stored on the chip card and to generate a statement indicating whether there is a match between the decrypted password and the password stored on the chip card.

9. The card reader system of claim 8 wherein the controller comprises a control interface configured to receive the authorization request from a position external to the card reader.